in reply to Cookies & Encryption

MD5 is not an encryption algorithm. It's a fingerprinting system. If two pieces of data have the same MD5 fingerprint, it's very, very likely that they're the same. For example, the CPAN module uses MD5 to make sure (well, sort of sure) that the module that it just downloaded is the module that the author uploaded, and not some l33t d00d's attempt to break into your computer. MD5 is not in itself a digital signature system, though, since anyone can generate an MD5 digest of a piece of data. There is no secret key.

In the past, I've created systems where one would store, say, the username in the cookie, plus a digest of the username plus some secret phrase. Anyone could read the cookie, but it would be slightly harder to tamper with it, since the hash would no longer match up.

use strict; use Digest::MD5 qw(md5_base64); use constant SECRET_PHRASE => 'myzylplyk'; warn "This method is not secure!\n"; # Turn 'angela' into quasi-signed cookie my $cookie = generate_cookie('angela'); print "Cookie for 'angela' is: '$cookie'\n"; # Turn quasi-signed cookie back into angela print "Translating back: "; print "ok\n" if get_username($cookie) eq 'angela'; # See what happens if we turn angela into mary $cookie =~ s/angela/mary/; print "Gonna die now\n"; my $username = get_username($cookie); sub make_hash { my ($username) = @_; return md5_base64($username . SECRET_PHRASE); } sub generate_cookie { my ($username) = @_; my $enc_hash = make_hash($username); return "$username:$enc_hash"; } # Returns the username if all checks out, # dies horribly otherwise sub get_username { my ($cookie) = @_; my ($username, $digest) = split(/:/, $cookie); make_hash($username) eq $digest or die "Hack attack! Username '$use +rname' doesn't match hash\n"; return $username; }

This method is NOT secure. Someone could sniff packets, read the cookie, and take over someone else's identity. You could add a timestamp to the cookie to patch it slightly... but it would still be possible to do some serious damage by simply grabbing a cookie and using it immediately. You could add an IP address, but... the list goes on and on.

You'll probably do better using a Crypt:: module. You can use the MIME::Base64 module to translate the hi-ascii characters to something relatively web-safe. Or use HTTPS.